Hi everyone, I was toying with the idea of writing an open source client for Lemmy in React Native.

However, using lemmy-js-client, I’m getting CORS issue when trying to hit the APIs for lemmy.world (and also lemmy.ml) from the browser.

I could write a proxy server or a full backend, but that feels contrary to the fediverse philosophy of not being dependant on one instance etc. Not to mention users would have to trust me, some random person, with their logins / passwords for Lemmy.

Is there a way we can have CORS enabled from * for the APIs of lemmy.world?

  • Pekka@feddit.nl
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    The headers are set inside the Lemmy binary/docker image. So unless lemmy.world would use its own build, this has to be fixed inside the LemmyNet source code. This would probably make Lemmy vulnerable to cross-site scripting, so the security aspects should probably be discussed in on the Github project.

    • Pekka@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      I just did some more research into this:

      When a client tries to log in, the server sends a response back with a JWT token inside the body. The client then stores this token inside an isomorphic cookie. This cookie is then used to identify the user by adding it to all requests after that.

      I haven’t really checked post requests, but if it is the same So let’s say you visit website X, that has nothing to do with Lemmy, they could do a Fetch request in the background to lemmy.world to post spam on your behalf. Even a CSRF token could no longer protect you, as the website could just do a fetch request first to get a CSRF token.

      I hope I’m wrong in some way, but to me this feels like a huge security risk.